Speech by Minister Alexander De Croo for NATO's Cyber Security Conference 2017 (NIAS2017)

Ladies & Gentlemen,

It is a pleasure to open NATO’s annual cyber symposium this year here in Mons, where we find ourselves at the technical heart of NATO’s cybersecurity activity.

We are here to discuss over the coming three days how we can ensure the protection and resilience of our defence systems, in a world where the level of threat from cyber-space has never been as high as today. And this is just the start.

Cyber-security has become a major issue in our countries. The potential for large-scale damage at collective and individual level has been proven very recently with the massive ransomware cyber-attacks and foreign efforts to interfere in elections in the US and France.

Recent figures show that digital threats are evolving fast: since the beginning of 2016, more than 4,000 ransomware attacks have occurred worldwide, every day, a 300% increase since 2015, while 80% of European companies have been affected last year. The economic impact of cybercrime rose fivefold from 2013 to 2017, and could further rise by a factor of four by 2019. 

In addition, it is now also more and more clear that foreign powers are actively running a continuous social media shell game to attack our social fabric, to stoke political divisions on an enormous scale, with the goal to destabilize our democracies and way of life.

Unsurprisingly, cyber-instruments have very quickly gained the status of new weapons in the field of warfare. They are non-classical weapons for sure, yet very effective and capable of generating not only destruction but also large-scale chaos. In combination with classical military elements they offer the potential for hybrid warfare.

Cyber-security has therefore become a priority focus area in which we urgently need to step up international efforts to coordinate and streamline national policy. Both the EU and NATO are becoming increasingly active in this field, and complementarity needs to be ensured. Belgium has always been a strong supporter of EU-NATO cooperation, including in the field of cyber-security, which will be an important topic for the NATO summit next year.

The NATO Cyber Pledge, supported by all Allies at the Summit in Warsaw last year, generated a whole new dynamic in the cyber domain. For the first time in history, all national authorities involved actually came together to assess our national positions – and by extension our national ambitions – to enhance our resilience against cyber-attacks.

I am glad to observe that Belgium was amongst the first three Allies to actually deliver their self-assessment report to NATO. Overall, it was a challenging exercise and there remains a lot of room for (national) improvement on certain items of the Pledge. These are to be evaluated at next year’s re-assessment. I am confident, however, that the Belgian Centre for Cybersecurity will continue and play its role of co-ordination between the national entities to improve on this matter.

 
What are we currently doing in Belgium?

As the Belgian Minister in charge of Digital Agenda, my job is to increase the connectivity of individuals, companies and governments. This entails risks: the more connected you are, the more vulnerable you also become. Digital Agenda and Cybersecurity therefore go hand in hand. We need to ensure that all of these actors that are connected today, dispose of the needed skills and tools to protect themselves from potential risks. The digital society can only function when it can be trusted by everyone.

In Belgium we work closely together with the Centre for Cyber Security under the authority of the Prime Minister, to more effectively protect our public authorities, businesses and consumers.

After the terrorist attacks in Brussels of March 22nd last year, a lot of attention was paid to our physical safety. But cyber-attacks and cyber espionage are at least as big a threat to our security, our economy and our democracy.

Please allow me to give you a short overview of what we have done in Belgium over the past few years to increase our efforts in the field of cybersecurity:

  • The Center for Cybersecurity (CCB) was established in 2014 and plays the role of central national authority in the field of cybersecurity. It was strengthened by the Federal Cyber Emergency Team CERT.be, which was transferred to the CCB in early 2017 and is still increasing its staff.
  • Since its launch the CCB is taking action to provide public authorities, businesses and with support and advice on how to more effectively protect themselves against cybersecurity threats.
  • The CCB also plays a coordinating role and has launched a number of initiatives to improve the cybersecurity of Belgium’s critical infrastructures and ensure cooperation between all actors involved.
  • A Cyber Emergency Response Plan, aimed at setting up a response structure for handling cybersecurity crises and incidents that require national-level coordination, was approved in April 2017. The purpose is to harmonise the actions government services take to manage national cyber incidents, and ensure the rapid, accurate sharing of information between services.
     

This is what already happened today. But also for the future, a range of concrete measures to strengthen cyber security in our country are being put in place:

24/7 call center for vital sectors

The services of the Federal Cyber Emergency Team CERT.be will be expanded with a call center that will be available 24/7. Companies from vital sectors such as the energy sector, the financial sector and the transport sector will be able to call the call center in case of cyber attacks.

Early Warning System for critical infrastructures

To address threats to vital sectors, within the federal Cyber Emergency Team CERT.be a warning system will be launched that proactively informs vital sectors of potential threats. These sectors gain access to information about incidents, threats, trends and vulnerabilities with regard to critical infrastructures through a joint platform.

More attention for information and awareness

The CCB will set up both large-scale and targeted information and sensitization campaigns.

This is particularly important for SMEs. About 45% of cyber-attacks on businesses today are targeted at SMEs, because their security is often weaker, but also because they often are an entry into other networks. They need to be better informed and sensitized about how to better protect themselves online. An online course specifically for SMEs is currently being elaborated.

Web tool for cyberrisk analysis

The federal government services will be able to use a new analysis tool for cyber-risks. The web application should allow government departments to make faster risk analyses and take appropriate measures. The new tool allows for partial automation of the risk management of the various government departments. In a next phase, a similar tool must be available to the private sector.

New Center for Protection of Critical Public Infrastructure

A “Computer Security Operation Center” is created for the federal government. The Center will be deployed to better protect the critical infrastructure of the government. More specifically, incident detection and monitoring services are offered as well as coordination of response to incidents.
 

The elements I just put forward relate to the Belgian context, but the challenges for the future of cybersecurity are global.

First of all, we need more cooperation at international level…

Cybercrime is an international phenomenon which requires an international response.

Not only NATO but also the European Union is increasingly addressing the issue of cybersecurity, and we need to ensure complementarity between the actions of both institutions.

The European Union is rapidly developing answers to the growing international cyber threats. In 2013 a first cybersecurity strategy was proposed. In June the Member States agreed on a cyber diplomatic toolbox, identifying possible diplomatic answers to incidents and attacks and thereby increasing its deterrence capabilities. Most recently, in September the European Commission proposed an ambitious cybersecurity package, identifying key enabling elements to build the necessary trust for the Digital Single Market and the answers that the EU can offer. This package touches upon a large range of topics, from the role of ENISA to a European certification framework, emergency response and innovation. Also the issues of e-evidence and encryption are treated, as well as measures to strengthen international cooperation on cybersecurity.

Cybersecurity is currently at the core of political discussions in Europe, showing its importance. The European NIS Directive, which is to be implemented by May 2018, is a major step forward for the EU. For the first time we are going to have an EU wide cybersecurity legislation. Especially the sharing of information on incidents and potential risks between national CSIRTs will allow Member States to react more rapidly and protect themselves more efficiently. This international cooperation should considerably increase the costs for cybercriminals.

Secondly we need to be future looking…

Today we are still too often busy fixing problems of the past.

With tens of billions of devices expected to be connected to the Internet by 2020, the interconnectedness of things does not only mean a potentially larger impact of attacks (cascade effects), but also new types of criminal behaviour e.g. hacking of intelligent transportation or medical devices connected to the Internet.

Where risks so far mostly concerned the data itself, with IoT cybercrime will present more and more risks in the physical world.

We do not necessarily need new rules, but rather clarification on how existing principles apply to these new technologies.

We also need new ways of working including:

  • Much more cooperation between a variety of actors involved.
  • Increasing the use of new technologies such as Artificial Intelligence and Advanced Machine Learning in order to develop the next generation of cyber security tools.

Thirdly, we need a change of culture across organisations

Digital is everywhere today. This means that all security measures need to have a digital aspect and we need to take into account a few basic principles:

1. Cooperation: both government and private sector can’t solve problems on their own. National policy-makers are still too much disconnected from the centres of industry and research where much innovation is happening. Government should take leadership to, together with private sector, fix vulnerabilities on a risk based approach. The NIAS conference is a good example of increasing attempts to bridge the gap between private and public sector in the field of cybersecurity.

2. We need better digital skills and more hackers: people that check the security of systems or that design systems should not think as compliance officers: a checklist with boxes to tick doesn’t work to protect ourselves against cyber threats.

3. We need to reverse the logic of hiding weaknesses: today our regulatory system gives incentives to hide weaknesses: people are expected to guarantee that all risks are covered, not to point out what risks may still exist. Otherwise it means that they didn’t do their job right or that they should be fined. This is wrong: we should give incentives to come forward with vulnerabilities and ask for help and cooperation. There is still too much taboo and shame to share information on cyber incidents.

4. Security should not only be a technical issue but also a management issue. Security is never absolute: an organisation cannot simply build a wall behind which it can protect itself. It is a matter of balancing: security vs. usability; openness vs. closedness,… Organisations should therefore also think about how to strengthen the weakest link (people and their behavior), an issue also discussed at this conference.

And finally, a few caveats…

Efforts to provide more security, more autonomy and more resilience should not lead to a de facto “segmentation”, but remain within the core values of a safe, secure and open internet:

  • Unduly monitoring online activities or data streams goes against the free exchange of ideas.
  • Data localization may give a sense of security but will hamper technological progress in the long run.

The internet should remain a source for creativity and innovation, economic growth and democratic empowerment.

In the end, technology has always been a great liberator. It is an incomparably powerful vector for freedom. It has helped millions of people throughout history to exercise their civil liberties. That is why authoritarian regimes are limiting their population’s access to technology.

Let us not make the same mistake. Let us make sure that we use technology to enforce and safeguard our freedoms, not to limit them unnecessarily.
 

Conclusion

Cybersecurity today concerns everyone: the question is not if you will be attacked, but when.

Cyberattacks pose an existential threat to our security, our economies and our democracies today. Not only at a technical level, but also by eroding the trust of citizens.

I am therefore very pleased that you are all here today to strengthen cooperation across NATO members, and across public and private sector. The main thing is to work more closely together so that we reduce the risks, both at national and at international level.

I hope this symposium will bring you new insights on the most pressing cybersecurity challenges and very practical ways and partnerships to secure our connected forces and protect our institutions.